Cisco Systems 3560X User Manual

Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 25: Configuring Dynamic ARP Inspection
Performing Validation Checks
Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address 
bindings. You can configure the switch to perform additional checks on the destination MAC address, 
the sender and target IP addresses, and the source MAC address.
Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP 
packets. This procedure is optional.

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.

Step 2
  Command: ip arp inspection validate {[src-mac] [dst-mac] [ip]}
  Purpose: Perform a specific check on incoming ARP packets. By default, no checks are performed.

  The keywords have these meanings:

  • For src-mac, check the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

  • For dst-mac, check the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

  • For ip, check the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses.

  You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.

Step 3
  Command: exit
  Purpose: Return to privileged EXEC mode.

Step 4
  Command: show ip arp inspection vlan vlan-range
  Purpose: Verify your settings.

Step 5
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.

To disable checking, use the no ip arp inspection validate [src-mac] [dst-mac] [ip] global configuration command. To display statistics for forwarded, dropped, and MAC and IP validation failure packets, use the show ip arp inspection statistics privileged EXEC command.
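
The src-mac, dst-mac and ip checks described above, modelled in Python as an added example. This is not Cisco code and not the switch's implementation; the function names are hypothetical and the sample frames are constructed from documentation MAC and IP ranges.

```python
import ipaddress
import struct

def bad_ip(raw):
    """True for 0.0.0.0, 255.255.255.255 and any IP multicast address."""
    ip = ipaddress.IPv4Address(raw)
    return int(ip) in (0, 0xFFFFFFFF) or ip.is_multicast

def validate_arp(frame, checks=("src-mac", "dst-mac", "ip")):
    """Return the names of the enabled checks that this frame fails."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an Ethernet/IPv4 ARP frame")
    eth_dst, eth_src = frame[:6], frame[6:12]
    # Skip htype/ptype/hlen/plen (6 bytes), then opcode and the four addresses
    op, sha, spa, tha, tpa = struct.unpack("!6xH6s4s6s4s", frame[14:42])
    is_reply = op == 2  # opcode 2 = ARP response
    failed = []
    # src-mac: Ethernet source vs. ARP sender MAC, requests and responses
    if "src-mac" in checks and eth_src != sha:
        failed.append("src-mac")
    # dst-mac: Ethernet destination vs. ARP target MAC, responses only
    if "dst-mac" in checks and is_reply and eth_dst != tha:
        failed.append("dst-mac")
    # ip: sender IP always, target IP only in responses
    if "ip" in checks and (bad_ip(spa) or (is_reply and bad_ip(tpa))):
        failed.append("ip")
    return failed

def build(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Assemble a constructed Ethernet/ARP frame for the samples below."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    return (mac(eth_dst) + mac(eth_src) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

# Constructed sample frames (documentation MAC and IP ranges)
A, B, X = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:99"
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLES = {
    "clean reply": build(B, A, 2, A, "192.0.2.1", B, "192.0.2.2"),
    "header/body sender mismatch": build(B, X, 2, A, "192.0.2.1", B, "192.0.2.2"),
    "reply sent to broadcast": build(BCAST, A, 2, A, "192.0.2.1", B, "192.0.2.2"),
    "request, multicast target": build(BCAST, A, 1, A, "192.0.2.1", "00:00:00:00:00:00", "224.0.0.1"),
    "reply, multicast target": build(B, A, 2, A, "192.0.2.1", B, "224.0.0.1"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:30} {validate_arp(frame) or 'pass'}")
```

Calling validate_arp with checks=("ip",) on the sender-mismatch sample returns no failures, which mirrors the override behaviour in Step 2: a later command that enables only ip leaves src-mac and dst-mac validation off.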